Question

Cert-manager DNS propagation error

I set up SSL with cert-manager on DigitalOcean Kubernetes. The certs were being issued until I decided to add two subdomains to my ingress rules; the already existing ones are about 4.

When I apply the ingress rules, it returns the following error:

E1208 13:37:06.384727 1 sync.go:184] cert-manager/controller/challenges “msg”=“propagation check failed” “error”=“DNS record for “subdomain.example.io” not yet propagated” “dnsName”=“subdomain.example.io” “resource_kind”=“Challenge” “resource_name”=“example-letsencrypt-certificate-4047343803-758986247-1121119393” “resource_namespace”=“production” “type”=“dns-01”

  • I can access the services via the domain names, although SSL is not enabled.
  • When I remove the two new subdomains, the certs are issued for the previously existing subdomains in the ingress rules.
  • I accessed the DigitalOcean droplet via SSH and ran nslookup for the domains; one of them returns the correct DNS information, while the other returns the error: server can’t find api.subdomain.example.io: NXDOMAIN

I’m seeing DNS issues as well while provisioning certificates. My error is a little different though:

E1208 17:17:56.932846 1 sync.go:183] cert-manager/controller/challenges “msg”=“propagation check failed” “error”=“failed to perform self check GET request ‘http://www.example.ca/.well-known/acme-challenge/vPtOMYti6WOT7K7rCLNm8pod8EYL-o1t2wZyH1kK8sw’: Get “http://www.example.ca/.well-known/acme-challenge/vPtOMYti6WOT7K7rCLNm8pod8EYL-o1t2wZyH1kK8sw”: dial tcp: lookup www.example.ca on 10.245.0.10:53: no such host” “dnsName”=“www.example.ca” “resource_kind”=“Challenge” “resource_name”=“tls-certificates-gnkz7-1311519961-2702591492” “resource_namespace”=“default” “resource_version”=“v1” “type”=“HTTP-01”

The record works on my standalone droplet, and outside of DO. It does not seem to work from within the cluster from an Ubuntu pod.

root@my-shell-6f49bbd6bd-m4nfc:/# nslookup www.example.ca
Server: 10.245.0.10
Address: 10.245.0.10#53

** server can’t find www.example.ca: NXDOMAIN

(www.example.ca is a stand-in for my actual DNS record)

OP, did you track down the root cause?
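
Added example, not part of the original posts and not cert-manager code: the two errors quoted in this thread come from different checks, and this small triage parser reports which record to look up for each and, for HTTP-01, which resolver answered "no such host". The function names and the abbreviated sample lines (with a TOKEN placeholder) are constructed for illustration.

```python
import re

# Constructed sample: the two errors quoted in this thread, abbreviated, plus one
# unrelated line. Curly quotes are kept because that is how the forum pasted them.
SAMPLE_LOG = """\
E1208 13:37:06.384727 1 sync.go:184] cert-manager/controller/challenges “msg”=“propagation check failed” “error”=“DNS record for “subdomain.example.io” not yet propagated” “dnsName”=“subdomain.example.io” “resource_namespace”=“production” “type”=“dns-01”
E1208 17:17:56.932846 1 sync.go:183] cert-manager/controller/challenges “msg”=“propagation check failed” “error”=“failed to perform self check GET request ‘http://www.example.ca/.well-known/acme-challenge/TOKEN’: dial tcp: lookup www.example.ca on 10.245.0.10:53: no such host” “dnsName”=“www.example.ca” “resource_namespace”=“default” “type”=“HTTP-01”
I1208 17:18:01.000000 1 controller.go:129] cert-manager/controller/challenges “msg”=“syncing item”
"""

QUOTES = str.maketrans({"“": '"', "”": '"', "‘": "'", "’": "'"})
RESOLVER = re.compile(r"lookup (\S+) on (\d{1,3}(?:\.\d{1,3}){3}):53: no such host")


def field(line, key):
    """Return the value of a "key"="value" pair, or None if the key is absent."""
    m = re.search(r'"%s"="([^"]*)"' % re.escape(key), line)
    return m.group(1) if m else None


def triage(log_text):
    """Classify each 'propagation check failed' line by which lookup failed."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.translate(QUOTES)  # undo smart-quoting from copy/paste
        if field(line, "msg") != "propagation check failed":
            continue
        name = field(line, "dnsName")
        solver = (field(line, "type") or "").lower()
        item = {"namespace": field(line, "resource_namespace"),
                "dnsName": name, "solver": solver}
        m = RESOLVER.search(line)
        if solver == "dns-01":
            # DNS-01 validates a TXT record under _acme-challenge.<name>.
            item["check"] = "TXT _acme-challenge.%s" % name
        elif solver == "http-01" and m:
            # The self-check GET failed at name resolution inside the cluster.
            item["check"] = "A/AAAA %s via %s" % (m.group(1), m.group(2))
        else:
            item["check"] = "unclassified"
        findings.append(item)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("{namespace}: {dnsName} [{solver}] -> {check}".format(**f))
```

The `check` value names the query to repeat by hand from the place that failed: the TXT record for a DNS-01 challenge, or the host record against the in-cluster resolver for an HTTP-01 self check.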

